argus 3 - direction determination algorithm
Carter Bullard
carter at qosient.com
Tue Apr 6 16:40:27 EDT 2010
Hey John,
The reset is probably negating some other logic, so let me take a look, and
check it out.
All the logic is already in the client library, so you don't have to do anything,
at least that is the design ;o)
Carter
On Apr 6, 2010, at 4:11 PM, John Gerth wrote:
> On 4/6/2010 12:58 PM, Carter Bullard wrote:
>> Hey John,
>> In argus-3.0, we removed most of the direction logic out of argus, and moved
>> it into the clients, just for this very situation. argus-2.x would declare that the
>> originator of a SYN_ACK packet was the destination, regardless of what was
>> going on, and we put a lot of complex logic in the clients to try to deal with
>> that when it was a A.SYN_ACK / B.RESET volley.
>>
>> You should be getting that A is the source, now, and that B is the destination.
>> If that is not correct, then, could you send some flow records that demonstrate
>> the problem, so I can debug? Better yet, if you had a packet capture, then
>> I can debug the whole flow thread. I'll look around for a packet trace, maybe
>> on
>>
> Attached is an extract done with:
> ra -r ar-2010-04-06.12 -w ~/win/synack.argus - host 69.16.172.40 and port 6667
> It shows that most of the S/A are src'ed remotely but whenever there's an R, ra
> shows it the other way. It's conceivable that this is our fault if somehow the
> span ports are dumping things down incorrectly (I don't have bi-directional timing
> turned on), but this seems oddly consistent.
>
> I do not have a pcap as I found this out afterwards and we normally just record flows.
>
> If clients are supposed to do the direction determination, I guess I should plan
> on fixing mine up and will want to know what rules you normally use in your clients.
>
> --
> John Gerth gerth at cs.stanford.edu Gates 378 (650) 725-3273 fax 723-0033
> <synack.argus.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100406/1778fe5c/attachment.bin>
More information about the argus
mailing list